Wordpress SQLi — how to find

Aug 27, 2017 · 2 min read

Few days back I wrote about SQLi in wp https://medium.com/websec/wordpress-sqli-bbb2afcc8e94, but only described the issues ( few months back was described publicly already, with my post I was pointing towards this issue as security issue, not as bad usage and not following the api docs from plugin/themes devs) in the DBprepare method and I gave a sample with delete_metadata vulnerable function. For those who are watching/monitoring the wp eco system closely from infosec aspect everything is clear, they have finished their job long time ago, but the rest of the developers have no idea what is happening under the hood and that is not good! (this opens another topic regarding reporting/handling security issues in the wp world, but this will be covered later)

Here I’ll give a guide, how to check if your own plugins are vulnerable to SQLi caused by this method (you can check another plugins too, atm I have few popular plugins that I can’t contact them, because finding the right contact info is real pain… ):

  • Check if there is user input in the $query parameter when you useprepare.
  • Best results give searching for this pattern $wpdb->prepare(*IN over some code base. This way you can find what and when was fixed in the past too, when you look at the implode directives above it.
  • Check for get_search_sql method implementation in the class-wp-(most-of-them)-query.php when this function have 2+ parameters e.g. $search_columns is set. There are most of the time applied filters on this variable before passed to the method. Also keep an eye on it when it is implemented in the plugins specific query class.
  • get_page_by_title function when is called with 3rd parameter and this parameter have any chance to be from the input.
  • delete_metadata called with 5 parameters where 4th parameter is set from user input and 5th parameter is true .

When I say user input it doesn’t mean it is only HTTP request for that place. Could be any input from files, database, http requests.

In case you use this knowledge and locate SQLi in some plugin ( I have found 10+ of them in quite popular plugins ) after you finish the reporting/fixing/disclosure procedure, drop me a note to add it to the list I make.

Oh, almost to forgot, I plan to release the patch I have proposed 10 months ago for this method, but this time with little tweak and I’ll release it after the patch that will be provided by the wp team, if they do that in the next month or two…


Attack sources + web application security

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store